OpenAI has begun rolling out Lockdown Mode to all personal ChatGPT accounts, including the Free, Go, Plus and Pro tiers, plus self-serve Business plans. The setting launched in February for enterprise customers, pitched at executives and security teams facing targeted attacks; the consumer rollout arrives four months later via Settings, under Security.
The design is deterministic rather than probabilistic. Instead of trying to detect prompt injections, Lockdown Mode removes the channels an attacker could use to exfiltrate data: web browsing is limited to cached pages so no live network requests leave OpenAI's network, while Deep Research, agent mode, Canvas networking and file downloads are disabled outright, per OpenAI's help documentation.
OpenAI is explicit that the mode does not stop injected instructions from reaching the model through uploaded files or cached content; it narrows what a successful injection can do once inside. That is a notable admission from the company that ships agent mode: for users handling sensitive data, the honest mitigation today is switching the agentic features off.